How to generate a session for Electron deep link auth without asking to log in again?

[igorlanko]

I'm trying to figure out a way to use web app as the authorization point into an Electron desktop app, so that user doesn't need to enter login/password again if they're already logged into the website, but instead just get redirected back to the desktop app via deep link with a auth success of some sort. Similar to how Spotify or Figma desktop apps work.

What I tried

• open site.com/auth/login?desktop=true from Electron using default user's browser;
• complete auth check, do getSession() / refreshSession(), and deep link back electron.app://auth?access_token=123&refresh_token=123;
• setSession({ access_token, refresh_token }) in the desktop app.

This approach is problematic, because refreshSession() still uses the same JWT, so when user logs out, it invalidates web app's JWT.

• I also did consider just duplicating web app's login/password experience in the desktop app, but I have Turnstile CAPTCHA turned on at the Supabase Auth level, and Cloudflare Turnstile does not play well with the app's URL schemas in the allowed domains config. Apparently it expects an https:// domains only.

Thank you!

[yafkari]

Did you manage to do what you wanted?

[igorlanko]

Yes, actually! Though it's been quite some time, the refreshSession() is definitely not a suitable method for deep linking.

Instead, we need to get the hashed_token somehow, so that it's sent back to the app and the app creates a separate session with auth.verifyOtp().

So what I'm doing is sending user to site.com/auth/login?desktop=true, they complete login, server takes the new session, gets the user email from auth.getUser(), and then completely unexpected (for me):

// Generate magic link for user
// obviously need a service role key for this,
// so ensure it's secure
const { data: magicLink, error: magicLinkErr } = await supabaseAdmin.auth.admin.generateLink({
   type: 'magiclink',
   email
})

// Extract pkce/otp from the magic link
const hashed_token = magicLink.properties?.hashed_token

// send hashed token to the app for verification and login
redirect(301, `desktop.app://auth?hashed_token=${hashed_token}`)

Then in the app, where I catch the opened URI, I do:

const logInWithHash = async ({ hashedToken }: { hashedToken: string }) => {
   const { data, error } = await supabase.auth.verifyOtp({
      token_hash: hashedToken,
      type: 'email'
   })

   return data
}

const { session } = await logInWithHash({ hashedToken: hashed_token })

And now the app has a completely separate session. Not sure if this is ideal, has its flaws, but that's apparently the only way (at least at the time) to obtain a hash.

[yafkari]

Hahha thought of cheating like that but wasn't gonna try that before a while. Thanks a lot for sharing Igor!

[jczstudios]

Have also used a similar method, would be very helpful if we got a new admin Auth API for Supabase to support generating a session with just a user ID to help with this situations!

[jparismorgan]

Is this still the suggested way to achieve this even after asymmetric JWTs have been rolled out?